Cryptome DVDs are offered by
Cryptome. Donate $25 for two DVDs of the
Cryptome 12-and-a-half-years collection of 47,000 files from June 1996
to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to
John Young, 251 West 89th Street, New York, NY 10024. The collection includes
all files of cryptome.org, cryptome.info, jya.com, cartome.org,
eyeball-series.org and iraq-kill-maim.org, and
23,100 (updated)
pages of counter-intelligence dossiers declassified by the US Army Information
and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere
worldwide without extra cost.

Pursuant to the discussions between our offices and Mr. Anthony Coppolino
of the Justice Department, this letter requests an official advisory opinion
concerning the new encryption export regulations issued by your offices on
January 14, 2000 (hereinafter "EI regulations").

Our overall concern is that the EI regulations continue to interfere strongly
with Professor Bernstein's planned scientific activities. First, the EI
regulations continue to maintain unconstitutional and pointless distinctions
between print and electronic communications media. Second, while we recognize
that your agency intended to reduce significantly the burden on Prof. Bernstein
and others who communicate encryption software, the EI regulations remain
so complex and ambiguous that Prof. Bernstein cannot be sure whether many
of his normal scientific activities would be lawful.

Given that this matter is currently in litigation on a facial challenge,
we have three suggestions that we believe will assist both parties as well
as the general public in reviewing and relying on the matters discussed in
the Opinion.

First, we request that the Opinion be made publicly available by BXA.
Specifically, we request that it be posted on the BXA web site along with
the other encryption-related materials there. This will ensure that the
understandings that it conveys are available to all persons who may wish
to understand your interpretation of the new regulations. As you know, one
of our chief concerns is that the regulations continue to be quite complex
and difficult to understand for trained professionals, much less lay people.
Since Professor Bernstein's case is a facial challenge, making these
interpretations available to persons other than Professor Bernstein seems
a reasonable way for BXA to minimize any misunderstandings about the new
regulations that may occur.

Second, in order to make this process as fruitful to both parties as possible,
we would hope that you and your colleagues would feel free to contact us
with draft language of the opinion and other issues. We are pleased that
BXA has recently been open to a more interactive relationship with those
who are regulated by it, and hope that this can continue throughout the advisory
opinion process.

Third, as you know, the 9th Circuit has ordered supplemental briefs
concerning the new regulations that are due on 21 days from the date of issuance
of the regulations. Since the regulations were issued on January 14, 2000,
the supplemental briefs are due on February 4, 2000. Oral argument is set
for March 21, 2000. We have discussed this schedule with Mr. Coppolino and
we both believe the court would agree to a request to move the date for the
supplemental briefings somewhat in order to allow such briefing to occur
after the advisory opinion is issued. We believe it is less likely, however,
that the court will agree to move the hearing date again. Thus, we suggest
the following schedule for your response and our subsequent briefings:

Advisory Opinion: February 7, 2000.

Supplemental Briefs: March 1, 2000.

Hearing date remains: March 21, 2000

If you agree to this schedule, we will join in a request with the Justice
Department to modify the briefing schedule.

Questions for Advisory Opinion

These questions reflect our review of the regulations issued on January 14,
2000. However, most of these issues were also raised during the process leading
up to the issuance of the regulations, specifically during our meeting with
you on November 30, 1999, and in the sample "Frequently Asked Questions"
submitted to you thereafter by John Gilmore. Please feel free to refer to
that document or to contact us if you require further explanation of our
concerns.

1. Distinctions Between Source Code on Paper and Source Code in
Electronic Form.

As you know, one of the cornerstones of our Constitutional arguments in this
case has been the fact that the regulations treat software communicated in
electronic form differently from software communicated on paper. We believe
this distinction is inconsistent with the Supreme Court's decision in Reno
v. ACLU, which rejected such distinctions and held that the Internet is a
fully protected medium of expression for purposes of First Amendment analysis.
We believe the regulations remain inconsistent with this precedent in several
ways.

A. Prohibition on Electronic Publication or Communication of Source
Code if One Has "Knowledge" that Persons from Restricted Countries will Receive
the Code.

As you know, since 1990, Professor Bernstein has wished to publish encryption
source code through the Internet. In particular, he wishes to publish it
on web pages, on mailing lists, and on the Usenet newsgroup sci.crypt. Assume
Professor Bernstein knows that some of the readers are residents of Iran.
He knows this from review of his log files and review of the postings to
the newsgroups, or he knows that a computer in Iran receives a feed that
includes sci.crypt. His actions are therefore appear prohibited by section
740.13(e)(2). These actions would not be prohibited if the source code were
communicated to these persons on paper, since such publication or communication
is not subject to the EAR or EI controls.

Draft 740.13(e)(3) states, inter alia, that the mere fact of Internet publication
would not "establish'' knowledge of an export to Iran. Further, question
14 states that this includes newsgroups. But none of these appear to protect
Professor Bernstein if he already has the knowledge that persons from the
restricted countries either 1) subscribe to the newsgroup or 2) regularly
review his web page. Please advise as to whether you interpret these regulations
to prohibit publication under these circumstances and explain why or why
not.

Next, we note that the regulations add two additional countries to the prohibited
list, Serbia and Taliban Afghanistan. What is the duty of an "exporter" to
know which countries (or portions of countries in the case of Afghanistan)
are on the prohibited list at any given time? Similarly, what are the duties
of an "exporter" to check the Denied Persons List?

B. Simultaneous Notification of BXA and NSA Upon Publication.

The requirement that Professor Bernstein and others simultaneously notify
both BXA and NSA at the time of electronic publication of source code, when
no such notification is required for publication or communication of such
code on paper, is another Constitutional problem.

Although the Supplementary Information section states that only the initial
export is subject to the notification requirement, it is still not clear
how this regulation would apply to persons who run "mirror" sites or archive
sites on the Internet. Many such sites automatically copy web pages from
one location and make them available in another. These sites are not reviewed
for content; indeed such review would be so onerous as to prevent the sites
from carrying any sites that might contain encryption source code. Would
notification of BXA and NSA by the initial publisher be sufficient? If the
initial publisher fails to make the required notification, would there be
liability for the mirror or archive sites?

Also, is a subsequent notification required for every update or bug fix made
to an encryption program? Many open source programs are developed on Listservs
and through other mechanisms wherein the source is constantly evolving. What
is the thresholdfor subsequent notifications?

Finally, the chain of liability for failure to make such notifications is
not specified in the regulations. In the case of source code that is developed
interactively among many persons, and hosted on computers owned by others,
who is responsible to ensure that notification occurs? What about in the
instance of university-owned computers that host web sites where students
can post software? Is the university liable if the student fails in his/her
duties under the new regulations? Is the university responsible for monitoring
all postings made on its system by students to ensure that no encryption
software is posted without notification to BXA and NSA? Can
a university or other party simply send you a general notification that
encryption software might be posted on its site (for instance, www.berkeley.edu)
and thereby fulfill its requirements?

C. Reporting Requirements for ENC Software

The regulations require that those publishing software that is categorized
as ENC (except if it is transferred to a subsidiary) present bi-annual reports
to the agency about certain recipients of the code. No such requirement is
applied to source code published on paper. It is also not required for source
code published under TSU. The First Amendment makes no applicable distinction
between speech that is sold and speech that is given away; we see no
constitutional basis for applying more onerous restrictions on publication
of speech that is to be sold or is subject to a licensing or royalty fee
than speech that is not. Does this reporting requirement apply to ENC software?

D. Definition Issues in the Distinction Between Paper and
Electronic Media

The EI regulations continue to distinguish "encryption source code in electronic
form or media (e.g., computer diskette or CD ROM)" from encryption source
code set forth in "printed material." 15 C.F.R. Sec. 734.3, Note to paragraphs
(b)(2) and (b)(3). The distinction appears to be based on "scannability."
61 Fed. Reg. 68572, at 68575 (Dec. 30, 1996).

Yet this distinction is confusing for a host of items that are not clearly
paper or electronic, or that can shift between the two. Please classify each
of the following proposed export situations into whether the export is of
"printed material" or of material "in electronic form or media":

i. A person prints encryption source code on paper and then faxes it overseas?

ii. A person writes source code on a computer and uses a fax-modem to fax
it overseas?

iii. Does it matter whether the recipient receives the source code on a fax
machine that prints it on paper or on a fax-modem where no paper is produced?

iv. Does it matter if a person uses an electronic medium to transmit source
code not as a text file but as an electronic "picture" (e.g., as a GIF, JPEG,
or Postscript file) that would have to be processed by character-recognition
software into text before it could be understood by a computer, is that export
considered to be "print" or "electronic"?

v. A person gives a presentation that features encryption source code that
is broadcast or Webcast around the world. Does it matter whether the broadcast
is analog or digital network such as DirecTV or streaming images on the Internet?
(Note: this what happens now with many lectures at Stanford University, which
operates an "instructional TV" network). Does it matter if Professor Bernstein
knows that the network can be seen in Iran?

vi. Does it matter if the presentation is made on a blackboard, overhead
projector laptop, or Powerpoint slides?

Finally, we remain concerned that even as to encryption source code set forth
in "printed material," the government "reserves the option to impose export
controls on such software for national security and foreign policy reasons."
61 Fed. Reg. 68572, at 68575.

2. Technical Assistance

A. Object Code

We are also unclear on how TSU and technical assistance intersect with object
code. Professor Bernstein regularly engages in public and private communication
to help people use his software. He writes web pages explaining how to compile
and run his software. If he receives email with further questions, he responds
to the email, and sometimes adds the same information to a public list of
"Frequently Asked Questions" on his web pages. He provides similar information
in person to students in class and to colleagues at conferences.

Professor Bernstein intends to do the same for his encryption software. Do
you interpret helping a foreign person create compiled encryption software
from source code exported under TSU constitute "technical assistance" if
the compiled software, i.e., object code, remains controlled as ECCN 5D002?

We note that, for all other software, the public availability exemption provides
that if the source code is publicly available, so is the object code.

See question G(1) in Supplement No. 1 to Part 734:Question G(1):
Is the export or reexport of software in machine readable code subject to
the EAR when the source code for such software is publicly available?

Answer: If the source code of a software program is publicly available, then
the machine readable code compiled from the source code is software that
is publicly available and therefore not subject to the EAR.

B. Extent of Coverage

The Supplementary Information section of the EI regulations states that 15
C.F.R. Sec. 744.9 does not apply when those who use TSU "provid[e] assistance
to foreign persons working with such source code." What does "working with"
mean? Does it include "working with" the foreign person to modify the source
code in any way? Does it include "working with" the foreign person to compile
the source code into object code? Does it include assistance with writing
new software, not derived from the TSU software, which is intended to "plug
into" TSU software or intended to interoperate with TSU software?

C. Scienter

The technical assistance "scienter" provision remains vague. This has been
a problem throughout this litigation that does not appear to be solved by
the new EI regulations. Would assistance in the compilation of source code
to make object code, such as instructions on a web page, be included? What
if the web page was added at the request of a foreign person? What about
informal discussions at conferences or otherwise, as opposed to formal papers
presented that seem to be covered by the TSU exception? What about private
consulting that Professor Bernstein might do to further develop his publicly
available source code and object code for a private party or at the request
of a foreign colleague?

If 744.9 does not apply to general situations of "working with" foreign persons,
what about foreign persons in the terrorist nations? This situation can easily
arise if a person in Iran downloads Prof. Bernstein's TSU-published source
code and then sends him e-mail about it. Assuming he had acted in accordance
with TSU when he put his source code on the Web, and thus did not "knowingly
export" the source code to Iran, is he in any way hampered in "working with"
the Iranian person, so long as he does not provide "encryption source code"?

Please note that these are not theoretical questions; all of these questions
have faced Professor Bernstein in the past or face him currently.

3. Definitions

A. "Express agreement for the payment of a licensing fee or royalty
for the commercial production or sale of any product developed using the
source code."

Professor Bernstein intends to publish encryption source code in traditional
scientific journals and books, including journals and books that are available
through the Internet. Traditional scientific publishing houses require that
authors transfer copyrights for source code, and all other works, to the
publishers. Under those copyrights, one cannot sell software derived from
the source code without paying royalties to the publisher.

EI Section 740.13(e)(1) does not provide any relief for source code ``subject
to an express agreement for the payment of a licensing fee or royalty for
commercial production or sale of any product developed with the source code.''

This phrase is extremely unclear and, although 740.13(e)(1) and question
16 provide that this phrase is not triggered by "intellectual property
protection, such as a copyright, by itself," it is not at all clear what
would trigger this clause. It is especially unclear since copyright
protection itself sets up a situation where a person would have to pay a
licensing fee or royalty for further use of the source code.

i. What does "subject to an express agreement'' mean "where a contract has
been offered,'' or "where a contract has already been formed''? Does this
mean that the publication itself would trigger the clause, or that the clause
would only be triggered when the royalties were negotiated? When the royalties
were due? What if the copyright notice contains the royalty provisions, as
some shareware notices do?

ii. What does "product'' mean? Does this mean object code? Does it include
republication of the source code in a database or compilation? Suppose one
has a contract with a publisher for a book about cryptography containing
encryption source code, and it provides for book royalties?

iii. What does "commercial'' mean?

iv. Can liability under this clause be traced back to the author of the source
code if the copyright has been assigned and the royalty goes to the publisher?

v. Can liability under this clause be traced back to the author of the source
code if he retains some form of copyright under his agreement with the publisher
and, for instance, shares in any royalties or licensing fees paid?

Under most interpretations, this phrase, perhaps inadvertently, appears to
cover the standard scientific publishing situation described above. Scientific
publishing houses will continue to be subject to heavy civil and criminal
penalties for making encryption source code available through the Internet.
Professor Bernstein is concerned that publishers will turn down encryption
source code rather than risk prosecution.

B. Source Code vs. Object Code

The EI regulations generally distinguish source code from object code, which
apparently turns on the "level" of language in which the software is written.
Programming languages, however, exist at more than just "high" and "low"
levels. For instance, software for human reading and study is often written
in assembly language or other "intermediate" languages. [insert Dan's example]
Is such software treated as source code?

Furthermore, many common programming languages, like Perl and LISP, are
interpretive languages that do not divide into source and object code levels;
strictly speaking, software written in such languages is not "compiled" but
rather "interpreted." See 15 C.F.R. Part 772, Encryption object code ("Computer
programs containing an encryption source code that has been compiled . .
. . ). Are interpretive languages and other types of programs that do not
fit the regular source/object model treated as source code or object code?

C. Knowledge

We are concerned about the definition of "knowledge." The EAR defines this
term as encompassing "know," "reason to know," or "reason to believe". We
assume that this definition was crafted primarily for general exports. For
Internet speech and thus for First Amendment purposes, however, we believe
that "awareness of a high probability" of a condition's "existence or future
occurrence . . . . inferred from a person's willful avoidance of facts" sweeps
far too broadly. Your Question and Answer section states that knowing means
"i.e. direct transfer or e-mail" (question 15) which seems to be narrower
than the general EAR definition. Do you interpret the term "knowledge" under
the new regulations to encompass the definition of the term used elsewhere
in the EAR? If not, please explain the differences.

D. Open Cryptographic Interface

The EI regulations now define "open cryptographic interface." ("OCI"). However,
the definition seems to sweep in all source code programs, at least under
interpretations previously made by BXA (that all source code is "modifiable
by the user", and thus that source code is "a mechanism which is designed
to allow a customer or other party to insert cryptographic functionality
without the intervention, help or assistance of the manufacturer" under the
definition). Now, section 740.17(f) states that this restriction is not
applicable to "publicly available" source code, but source code that is not
"publicly available" is still protected expression under the First Amendment.
What distinguishes encryption source code programs that are OCIs from those
that are not? Is a library that provides functions related to encryption,
such as RSA's BSAFE or SSLeay, always an OCI?

E. ENC issues

15 C.F.R. Sec. 740.17(a)(5)(iv) states that foreign products developed for
commercial sale using ENC source code or general purpose toolkits are subject
to reporting under (g)(3). Who has the duty to report? There also appears
to be a scienter conflict in ENC. 15 C.F.R. Sec. 740.17(a)(5)(i) prohibits
"knowing[] export" of ENC source code to terrorist nations, while 15 C.F.R.
Sec. 740.17(a)(3)(iii) ("retail") permits "free or anonymous downloads."
But 15 C.F.R. Sec. 740.17(b) states that "[n]o encryption item(s) may be
exported or reexported under this license exception to" the terrorist nations
without making allowances for these provisions.

F. Recapture

Suppose a person publishes encryption source code on a Web site under TSU
and a foreign person produces a "product" containing that source code or
a modification thereof. Does the first publisher have any duties as a result
of the foreign person's conduct? Is there anything that the foreign person
could do on his own that would cause the first publisher to be liable?

G. Intersection With General Public Availability

TSU provides that encryption source code published under TSU is "released
from 'EI' controls." Once the source code has been so released, it would
seem that the source code is no longer ECCN 5D002. Does that mean it is eligible
for true public availability such that it is release?

The EI regulations continue to require licenses for much protected speech
(source code that is not "publicly available"; source code that qualifies
as an "open cryptographic interface"; and various forms of object code) without
the procedural safeguards required by Freedman v. Maryland and
City of Lakewood v. Plain Dealer and as described by both the
9th Circuit panel and the District Court in this case.

For example, encryption source code that is not publicly available is covered
under license exception ENC can be "exported" 30 days after receipt by BXA
if BXA does nothing. But BXA can extend the prior restraint indefinitely
simply by "otherwise notif[ying]" the "exporter" during the 30 day period.
15 C.F.R. Sec. 740.17(e)(1). We note that a 30-day review period is a prior
restraint period that is significantly longer than those accepted by the
courts under Freedman. Most are no longer than 4-7 days.

Further, nothing in the regulations limits either the duration of the prior
restraint or agency discretion to impose it; once it is imposed it is unclear
when, if ever, the restraint will be reviewed by a court. The regulations
do not require the government to go to court. Also, judicial review of licensing
decisions is available today only because the EAA expired and the EAR are
authorized under IEEPA; should the EAA be reauthorized, the constitutional
problems will be even worse.

* * * * *

We recognize that this is a fairly long set of questions. However, we believe
this is the result of your decision to promulgate extremely complex regulations
that create many new categories and sub-categories of treatment for encryption
items. We were hopeful that, instead, the Administration would chose to simplify
regulation of encryption items, such as by treating them as all other software
regulated under the EAR, or by simply deregulating them entirely. Nonetheless,
we do appreciate the efforts you've made to liberalize the EI controls.

We have tried to organize these questions to give you the opportunity to
address sets of issues together and, we hope, to clarify them, both for our
client and for the many others affected by them. As always, please do not
hesitate to contact me with any questions or concerns.